# Envoy Gateway Configuration

This document explains how the Envoy gateway is configured and how to modify it.

## Files

- envoy.yaml: ConfigMap + Deployment + Service for Envoy

## Current Behavior

- Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
- All HTTP traffic is routed to user-api only.
- gRPC is not exposed by this gateway.

## Routing

In envoy.yaml, routes are defined under:

```
static_resources -> listeners -> http_connection_manager -> route_config -> virtual_hosts
```

The current routing rules are:

- All requests (prefix: "/") -> cluster: user-api

To add a new HTTP service, add a new route above the default route and define a new cluster. Envoy uses the first route whose match succeeds, so a more specific prefix placed after the "/" catch-all would never be reached.

Example: route /order to order-api-svc:8899

1) Add a route match:

```yaml
- match:
    prefix: "/order"
  route:
    cluster: order-api
```

2) Add a cluster:

```yaml
- name: order-api
  connect_timeout: 2s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  load_assignment:
    cluster_name: order-api
    endpoints:
      - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: order-api-svc.juwan.svc.cluster.local
                  port_value: 8899
```

## CSRF Protection

Envoy uses a Lua filter for CSRF validation (double-submit cookie pattern):

- Safe methods (GET/HEAD/OPTIONS):
  - If the csrf_token cookie is missing, Envoy generates one and sets it in the response.
- Unsafe methods (POST/PUT/PATCH/DELETE, etc.):
  - Requires BOTH:
    - header: X-CSRF-Token
    - cookie: csrf_token
  - The two values must match; otherwise Envoy returns 403.

If you want a different cookie name or header name, update these in the Lua code:

- Header: x-csrf-token
- Cookie: csrf_token

To relax or tighten the rules, edit the functions:

- is_safe(method)
- envoy_on_request(request_handle)

## Cookie Attributes

Current Set-Cookie:

```
csrf_token=; Path=/; SameSite=Strict
```

To add Secure or HttpOnly, update the string in envoy_on_response. Note that HttpOnly prevents browser scripts from reading csrf_token, so only add it if the client obtains the token for the X-CSRF-Token header some other way.

## Deployment

Apply or update:

```
kubectl apply -f deploy/k8s/envoy/envoy.yaml
```

## Common Changes

- Change listening port:
  - Update the listener port_value and the Service targetPort/port.
- Change service namespace:
  - Update cluster DNS addresses (e.g. service.ns.svc.cluster.local).
- Add more services:
  - Add a route + add a cluster, as shown above.
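The following is an added Python model of the CSRF rule described in the CSRF Protection and Cookie Attributes sections; it is not the project's Lua filter. It assumes the header name x-csrf-token, the cookie name csrf_token, and a 403 on failure, as stated above; the function names `is_safe` and `check_request` and the `parse_cookies` helper are this example's own. It is useful for checking edge cases (a Cookie header carrying several cookies, differently cased header names, a header present without the cookie) before changing the Lua code.

```python
"""Model of the gateway's double-submit CSRF check (added example, not the
project's Lua filter). Header/cookie names follow the document."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

HEADER_NAME = "x-csrf-token"   # Envoy presents header names in lowercase
COOKIE_NAME = "csrf_token"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
COOKIE_ATTRS = "Path=/; SameSite=Strict"   # attribute string from the document


def is_safe(method: str) -> bool:
    """Safe (read-only) methods never need a token; all others do."""
    return method.upper() in SAFE_METHODS


def parse_cookies(cookie_header: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies: Dict[str, str] = {}
    if not cookie_header:
        return cookies
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def new_token() -> str:
    """Unguessable token for the cookie set on safe requests (constructed here
    with the secrets module; the Lua filter's generator is not shown on the page)."""
    return secrets.token_urlsafe(32)


def check_request(method: str, headers: Dict[str, str]) -> Tuple[Optional[int], Optional[str]]:
    """Apply the gateway rule to one request.

    Returns (status, set_cookie): status is None when the request may continue
    upstream and 403 when it must be rejected; set_cookie is a Set-Cookie value
    to add to the response (only on safe requests lacking the cookie), else None.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cookie_token = parse_cookies(lower.get("cookie")).get(COOKIE_NAME)

    if is_safe(method):
        if not cookie_token:
            return None, f"{COOKIE_NAME}={new_token()}; {COOKIE_ATTRS}"
        return None, None

    header_token = lower.get(HEADER_NAME)
    # Both sources are required; a missing one is a rejection, not a pass.
    if not header_token or not cookie_token:
        return 403, None
    # Constant-time compare so timing does not reveal how much of a guess matched.
    if not hmac.compare_digest(header_token.encode(), cookie_token.encode()):
        return 403, None
    return None, None


if __name__ == "__main__":
    # Constructed sample requests exercising each branch.
    print(check_request("GET", {}))
    print(check_request("POST", {"Cookie": "session=x; csrf_token=abc", "X-CSRF-Token": "abc"}))
    print(check_request("POST", {"Cookie": "csrf_token=abc", "X-CSRF-Token": "abd"}))
```

The model deliberately rejects when only one of the two values is present, matching the "Requires BOTH" rule, and treats an empty cookie value the same as a missing one so that a bare `csrf_token=` cannot satisfy the check.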